Hi Adam, welcome back :) ----- Original Message ----- From: "Adam Barth" <w3c@adambarth.com> To: "Ian Melven" <imelven@mozilla.com> Cc: "public-webappsec" <public-webappsec@w3.org> Sent: Saturday, January 5, 2013 1:26:42 PM Subject: Re: CSP, unsafe-eval and crypto.generateCRMFRequest > My understanding is that generateCRMFRequest isn't mentioned because > it's a Mozilla-proprietary API. However, your point about the spec > being overly explicit is a good one. Maybe we should add some text > about the intent behind 'unsafe-eval' so it's easier for folks to > decide how to treat future/proprietary APIs? that sounds like a good idea to me. Overall, I think the spec could use more statement of intent for various things that CSP tries to restrict - this would have helped our inline styles implementation, for example. > We can also add some informative text about generateCRMFRequest if that would be useful to > you. well, we already know we have to block it :) we could use it as an example in the general unsafe-eval guidance perhaps.. ian On Fri, Dec 28, 2012 at 9:51 AM, Ian Melven <imelven@mozilla.com> wrote: > > Hi, > > recently Paul Theriault discovered that in Gecko, crypto.generateCRMFRequest bypasses CSP by > allowing script execution from a string when unsafe-eval isn't specified as part of > an applied CSP. > > this has been filed as http://bugzilla.mozilla.org/show_bug.cgi?id=824652 > > there was a suggestion in the bug to add this to the list of eval and friends > blocked by CSP in the spec - i think in general the spec avoids exhaustively listing > all the ways to do things such as eval, but am bringing this up here to see if others > think we should call out this case since it seems like a fairly > easy one to miss. > > thanks ! > ian > >Received on Monday, 7 January 2013 18:04:18 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 January 2013 18:04:19 GMT